Hacked serverless functions are a crypto-gold mine for miscreants

PureSec, a maker of security software for serverless apps, has been poking about various cloud service providers, and found that hosted functions offer a shortcut to illicit crypto-mining.

Crypto-mining attacks that hijack processing power do best with mass distribution. Those who can harness large numbers of processors – CPUs, GPUs, ASICs – for the proof-of-work calculations needed to generate digital currency can expect better returns than less focused schemes.

Generally, this requires widespread malware distribution or the spamming of weblinks to take intended victims to a central distribution point, such as a compromised website. This website would run crypto-mining code in JavaScript on the page in the visiting browser.

Cloud-based servers present a tempting target, but compromising a large enough number of compute instances on cloud infrastructure providers tends to be difficult. Attackers can scan millions of servers for remote code execution flaws in hosted software – e.g. Drupal – but that sort of thing tends to get noticed and shut down before long.

I think I'm a clone now

Serverlessfunctions provide distribution through self-replication. They can clone themselves on demand, allowing an attacker to turn one vulnerable hosted function into potentially thousands of compute instances simply by making repeated requests to the function.

"One vulnerability is enough," says PureSec in a report scheduled for public release on Tuesday. "Attackers only need to find a single vulnerable serverless function and abuse the inherent auto-scaling nature of the serverless platform in order to mimic the work of hundreds to thousands of machines working in parallel."

Auto-scaling is not a bug but a feature, one that magnifies the potential impact of bugs that do exist. And while serverless functions improve security in some ways – platform providers tend to keep servers up-to-date and patched – they can still include common application-level flaws like vulnerability to cross-site scripting or SQL injection. And then there's the issue of bugs in required libraries.

What's more, the focused nature of this particular attack vector – a single account – makes it more difficult to detect than, say, a sprawling botnet that includes millions of machines.

The risk for victims, beyond the usual remediation headaches, is a massive bill from spinning up thousands of servers – AWS Lambda, for example, has a concurrent execution limit of 1,000 by default.

PureSec, keen to pitch its code as a cure for this ill, suggests the bill for victims could reach US$120,000 per month. Cost-conscious cloud customers, however, are likely at least to have set up billing alerts to send word when costs skyrocket.

It should also be possible to shut down cloud computing resources programmatically once expenses reach a specified point, but none of the major cloud providers appear to offer this out of the box – it appears they'd rather not make it too easy for customers to limit spending. ®